xref: /openbsd/lib/libssl/t1_lib.c (revision 56b1ac2f)
1 /* $OpenBSD: t1_lib.c,v 1.198 2023/11/18 10:51:09 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/objects.h>
117 #include <openssl/ocsp.h>
118 
119 #include "bytestring.h"
120 #include "ssl_local.h"
121 #include "ssl_sigalgs.h"
122 #include "ssl_tlsext.h"
123 
124 static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert,
125     SSL_SESSION **psess);
126 
127 int
tls1_new(SSL * s)128 tls1_new(SSL *s)
129 {
130 	if (!ssl3_new(s))
131 		return (0);
132 	s->method->ssl_clear(s);
133 	return (1);
134 }
135 
136 void
tls1_free(SSL * s)137 tls1_free(SSL *s)
138 {
139 	if (s == NULL)
140 		return;
141 
142 	free(s->tlsext_session_ticket);
143 	ssl3_free(s);
144 }
145 
146 void
tls1_clear(SSL * s)147 tls1_clear(SSL *s)
148 {
149 	ssl3_clear(s);
150 	s->version = s->method->version;
151 }
152 
153 struct supported_group {
154 	int nid;
155 	int bits;
156 };
157 
158 /*
159  * Supported groups (formerly known as named curves)
160  * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
161  */
162 static const struct supported_group nid_list[] = {
163 	[1] = {
164 		.nid = NID_sect163k1,
165 		.bits = 80,
166 	},
167 	[2] = {
168 		.nid = NID_sect163r1,
169 		.bits = 80,
170 	},
171 	[3] = {
172 		.nid = NID_sect163r2,
173 		.bits = 80,
174 	},
175 	[4] = {
176 		.nid = NID_sect193r1,
177 		.bits = 80,
178 	},
179 	[5] = {
180 		.nid = NID_sect193r2,
181 		.bits = 80,
182 	},
183 	[6] = {
184 		.nid = NID_sect233k1,
185 		.bits = 112,
186 	},
187 	[7] = {
188 		.nid = NID_sect233r1,
189 		.bits = 112,
190 	},
191 	[8] = {
192 		.nid = NID_sect239k1,
193 		.bits = 112,
194 	},
195 	[9] = {
196 		.nid = NID_sect283k1,
197 		.bits = 128,
198 	},
199 	[10] = {
200 		.nid = NID_sect283r1,
201 		.bits = 128,
202 	},
203 	[11] = {
204 		.nid = NID_sect409k1,
205 		.bits = 192,
206 	},
207 	[12] = {
208 		.nid = NID_sect409r1,
209 		.bits = 192,
210 	},
211 	[13] = {
212 		.nid = NID_sect571k1,
213 		.bits = 256,
214 	},
215 	[14] = {
216 		.nid = NID_sect571r1,
217 		.bits = 256,
218 	},
219 	[15] = {
220 		.nid = NID_secp160k1,
221 		.bits = 80,
222 	},
223 	[16] = {
224 		.nid = NID_secp160r1,
225 		.bits = 80,
226 	},
227 	[17] = {
228 		.nid = NID_secp160r2,
229 		.bits = 80,
230 	},
231 	[18] = {
232 		.nid = NID_secp192k1,
233 		.bits = 80,
234 	},
235 	[19] = {
236 		.nid = NID_X9_62_prime192v1,	/* aka secp192r1 */
237 		.bits = 80,
238 	},
239 	[20] = {
240 		.nid = NID_secp224k1,
241 		.bits = 112,
242 	},
243 	[21] = {
244 		.nid = NID_secp224r1,
245 		.bits = 112,
246 	},
247 	[22] = {
248 		.nid = NID_secp256k1,
249 		.bits = 128,
250 	},
251 	[23] = {
252 		.nid = NID_X9_62_prime256v1,	/* aka secp256r1 */
253 		.bits = 128,
254 	},
255 	[24] = {
256 		.nid = NID_secp384r1,
257 		.bits = 192,
258 	},
259 	[25] = {
260 		.nid = NID_secp521r1,
261 		.bits = 256,
262 	},
263 	[26] = {
264 		.nid = NID_brainpoolP256r1,
265 		.bits = 128,
266 	},
267 	[27] = {
268 		.nid = NID_brainpoolP384r1,
269 		.bits = 192,
270 	},
271 	[28] = {
272 		.nid = NID_brainpoolP512r1,
273 		.bits = 256,
274 	},
275 	[29] = {
276 		.nid = NID_X25519,
277 		.bits = 128,
278 	},
279 };
280 
281 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
282 
283 #if 0
284 static const uint8_t ecformats_list[] = {
285 	TLSEXT_ECPOINTFORMAT_uncompressed,
286 	TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
287 	TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
288 };
289 #endif
290 
291 static const uint8_t ecformats_default[] = {
292 	TLSEXT_ECPOINTFORMAT_uncompressed,
293 };
294 
295 #if 0
296 static const uint16_t ecgroups_list[] = {
297 	29,			/* X25519 (29) */
298 	14,			/* sect571r1 (14) */
299 	13,			/* sect571k1 (13) */
300 	25,			/* secp521r1 (25) */
301 	28,			/* brainpoolP512r1 (28) */
302 	11,			/* sect409k1 (11) */
303 	12,			/* sect409r1 (12) */
304 	27,			/* brainpoolP384r1 (27) */
305 	24,			/* secp384r1 (24) */
306 	9,			/* sect283k1 (9) */
307 	10,			/* sect283r1 (10) */
308 	26,			/* brainpoolP256r1 (26) */
309 	22,			/* secp256k1 (22) */
310 	23,			/* secp256r1 (23) */
311 	8,			/* sect239k1 (8) */
312 	6,			/* sect233k1 (6) */
313 	7,			/* sect233r1 (7) */
314 	20,			/* secp224k1 (20) */
315 	21,			/* secp224r1 (21) */
316 	4,			/* sect193r1 (4) */
317 	5,			/* sect193r2 (5) */
318 	18,			/* secp192k1 (18) */
319 	19,			/* secp192r1 (19) */
320 	1,			/* sect163k1 (1) */
321 	2,			/* sect163r1 (2) */
322 	3,			/* sect163r2 (3) */
323 	15,			/* secp160k1 (15) */
324 	16,			/* secp160r1 (16) */
325 	17,			/* secp160r2 (17) */
326 };
327 #endif
328 
329 static const uint16_t ecgroups_client_default[] = {
330 	29,			/* X25519 (29) */
331 	23,			/* secp256r1 (23) */
332 	24,			/* secp384r1 (24) */
333 	25,			/* secp521r1 (25) */
334 };
335 
336 static const uint16_t ecgroups_server_default[] = {
337 	29,			/* X25519 (29) */
338 	23,			/* secp256r1 (23) */
339 	24,			/* secp384r1 (24) */
340 };
341 
342 int
tls1_ec_group_id2nid(uint16_t group_id,int * out_nid)343 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
344 {
345 	int nid;
346 
347 	if (group_id >= NID_LIST_LEN)
348 		return 0;
349 
350 	if ((nid = nid_list[group_id].nid) == 0)
351 		return 0;
352 
353 	*out_nid = nid;
354 
355 	return 1;
356 }
357 
358 int
tls1_ec_group_id2bits(uint16_t group_id,int * out_bits)359 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
360 {
361 	int bits;
362 
363 	if (group_id >= NID_LIST_LEN)
364 		return 0;
365 
366 	if ((bits = nid_list[group_id].bits) == 0)
367 		return 0;
368 
369 	*out_bits = bits;
370 
371 	return 1;
372 }
373 
374 int
tls1_ec_nid2group_id(int nid,uint16_t * out_group_id)375 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
376 {
377 	uint16_t group_id;
378 
379 	if (nid == 0)
380 		return 0;
381 
382 	for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
383 		if (nid_list[group_id].nid == nid) {
384 			*out_group_id = group_id;
385 			return 1;
386 		}
387 	}
388 
389 	return 0;
390 }
391 
392 /*
393  * Return the appropriate format list. If client_formats is non-zero, return
394  * the client/session formats. Otherwise return the custom format list if one
395  * exists, or the default formats if a custom list has not been specified.
396  */
397 void
tls1_get_formatlist(const SSL * s,int client_formats,const uint8_t ** pformats,size_t * pformatslen)398 tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats,
399     size_t *pformatslen)
400 {
401 	if (client_formats != 0) {
402 		*pformats = s->session->tlsext_ecpointformatlist;
403 		*pformatslen = s->session->tlsext_ecpointformatlist_length;
404 		return;
405 	}
406 
407 	*pformats = s->tlsext_ecpointformatlist;
408 	*pformatslen = s->tlsext_ecpointformatlist_length;
409 	if (*pformats == NULL) {
410 		*pformats = ecformats_default;
411 		*pformatslen = sizeof(ecformats_default);
412 	}
413 }
414 
415 /*
416  * Return the appropriate group list. If client_groups is non-zero, return
417  * the client/session groups. Otherwise return the custom group list if one
418  * exists, or the default groups if a custom list has not been specified.
419  */
420 void
tls1_get_group_list(const SSL * s,int client_groups,const uint16_t ** pgroups,size_t * pgroupslen)421 tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
422     size_t *pgroupslen)
423 {
424 	if (client_groups != 0) {
425 		*pgroups = s->session->tlsext_supportedgroups;
426 		*pgroupslen = s->session->tlsext_supportedgroups_length;
427 		return;
428 	}
429 
430 	*pgroups = s->tlsext_supportedgroups;
431 	*pgroupslen = s->tlsext_supportedgroups_length;
432 	if (*pgroups != NULL)
433 		return;
434 
435 	if (!s->server) {
436 		*pgroups = ecgroups_client_default;
437 		*pgroupslen = sizeof(ecgroups_client_default) / 2;
438 	} else {
439 		*pgroups = ecgroups_server_default;
440 		*pgroupslen = sizeof(ecgroups_server_default) / 2;
441 	}
442 }
443 
444 static int
tls1_get_group_lists(const SSL * ssl,const uint16_t ** pref,size_t * preflen,const uint16_t ** supp,size_t * supplen)445 tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen,
446     const uint16_t **supp, size_t *supplen)
447 {
448 	unsigned long server_pref;
449 
450 	/* Cannot do anything on the client side. */
451 	if (!ssl->server)
452 		return 0;
453 
454 	server_pref = (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
455 	tls1_get_group_list(ssl, (server_pref == 0), pref, preflen);
456 	tls1_get_group_list(ssl, (server_pref != 0), supp, supplen);
457 
458 	return 1;
459 }
460 
461 static int
tls1_group_id_present(uint16_t group_id,const uint16_t * list,size_t list_len)462 tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len)
463 {
464 	size_t i;
465 
466 	for (i = 0; i < list_len; i++) {
467 		if (group_id == list[i])
468 			return 1;
469 	}
470 
471 	return 0;
472 }
473 
474 int
tls1_count_shared_groups(const SSL * ssl,size_t * out_count)475 tls1_count_shared_groups(const SSL *ssl, size_t *out_count)
476 {
477 	size_t count, preflen, supplen, i;
478 	const uint16_t *pref, *supp;
479 
480 	if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
481 		return 0;
482 
483 	count = 0;
484 	for (i = 0; i < preflen; i++) {
485 		if (!tls1_group_id_present(pref[i], supp, supplen))
486 			continue;
487 
488 		if (!ssl_security_shared_group(ssl, pref[i]))
489 			continue;
490 
491 		count++;
492 	}
493 
494 	*out_count = count;
495 
496 	return 1;
497 }
498 
499 static int
tls1_group_by_index(const SSL * ssl,size_t n,int * out_nid,int (* ssl_security_fn)(const SSL *,uint16_t))500 tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid,
501     int (*ssl_security_fn)(const SSL *, uint16_t))
502 {
503 	size_t count, preflen, supplen, i;
504 	const uint16_t *pref, *supp;
505 
506 	if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
507 		return 0;
508 
509 	count = 0;
510 	for (i = 0; i < preflen; i++) {
511 		if (!tls1_group_id_present(pref[i], supp, supplen))
512 			continue;
513 
514 		if (!ssl_security_fn(ssl, pref[i]))
515 			continue;
516 
517 		if (count++ == n)
518 			return tls1_ec_group_id2nid(pref[i], out_nid);
519 	}
520 
521 	return 0;
522 }
523 
524 int
tls1_get_shared_group_by_index(const SSL * ssl,size_t index,int * out_nid)525 tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid)
526 {
527 	return tls1_group_by_index(ssl, index, out_nid,
528 	    ssl_security_shared_group);
529 }
530 
531 int
tls1_get_supported_group(const SSL * ssl,int * out_nid)532 tls1_get_supported_group(const SSL *ssl, int *out_nid)
533 {
534 	return tls1_group_by_index(ssl, 0, out_nid,
535 	    ssl_security_supported_group);
536 }
537 
538 int
tls1_set_groups(uint16_t ** out_group_ids,size_t * out_group_ids_len,const int * groups,size_t ngroups)539 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
540     const int *groups, size_t ngroups)
541 {
542 	uint16_t *group_ids;
543 	size_t i;
544 
545 	if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL)
546 		return 0;
547 
548 	for (i = 0; i < ngroups; i++) {
549 		if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) {
550 			free(group_ids);
551 			return 0;
552 		}
553 	}
554 
555 	free(*out_group_ids);
556 	*out_group_ids = group_ids;
557 	*out_group_ids_len = ngroups;
558 
559 	return 1;
560 }
561 
562 int
tls1_set_group_list(uint16_t ** out_group_ids,size_t * out_group_ids_len,const char * groups)563 tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
564     const char *groups)
565 {
566 	uint16_t *new_group_ids, *group_ids = NULL;
567 	size_t ngroups = 0;
568 	char *gs, *p, *q;
569 	int nid;
570 
571 	if ((gs = strdup(groups)) == NULL)
572 		return 0;
573 
574 	q = gs;
575 	while ((p = strsep(&q, ":")) != NULL) {
576 		nid = OBJ_sn2nid(p);
577 		if (nid == NID_undef)
578 			nid = OBJ_ln2nid(p);
579 		if (nid == NID_undef)
580 			nid = EC_curve_nist2nid(p);
581 		if (nid == NID_undef)
582 			goto err;
583 
584 		if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
585 		    sizeof(uint16_t))) == NULL)
586 			goto err;
587 		group_ids = new_group_ids;
588 
589 		if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups]))
590 			goto err;
591 
592 		ngroups++;
593 	}
594 
595 	free(gs);
596 	free(*out_group_ids);
597 	*out_group_ids = group_ids;
598 	*out_group_ids_len = ngroups;
599 
600 	return 1;
601 
602  err:
603 	free(gs);
604 	free(group_ids);
605 
606 	return 0;
607 }
608 
609 /* Check that a group is one of our preferences. */
610 int
tls1_check_group(SSL * s,uint16_t group_id)611 tls1_check_group(SSL *s, uint16_t group_id)
612 {
613 	const uint16_t *groups;
614 	size_t groupslen, i;
615 
616 	tls1_get_group_list(s, 0, &groups, &groupslen);
617 
618 	for (i = 0; i < groupslen; i++) {
619 		if (!ssl_security_supported_group(s, groups[i]))
620 			continue;
621 		if (groups[i] == group_id)
622 			return 1;
623 	}
624 	return 0;
625 }
626 
627 /* For an EC key set TLS ID and required compression based on parameters. */
628 static int
tls1_set_ec_id(uint16_t * group_id,uint8_t * comp_id,EC_KEY * ec)629 tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)
630 {
631 	const EC_GROUP *grp;
632 	const EC_METHOD *meth;
633 	int prime_field;
634 	int nid;
635 
636 	if (ec == NULL)
637 		return (0);
638 
639 	/* Determine whether the group is defined over a prime field. */
640 	if ((grp = EC_KEY_get0_group(ec)) == NULL)
641 		return (0);
642 	if ((meth = EC_GROUP_method_of(grp)) == NULL)
643 		return (0);
644 	prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
645 
646 	/* Determine group ID. */
647 	nid = EC_GROUP_get_curve_name(grp);
648 	/* If we have an ID set it, otherwise set arbitrary explicit group. */
649 	if (!tls1_ec_nid2group_id(nid, group_id))
650 		*group_id = prime_field ? 0xff01 : 0xff02;
651 
652 	if (comp_id == NULL)
653 		return (1);
654 
655 	/* Specify the compression identifier. */
656 	if (EC_KEY_get0_public_key(ec) == NULL)
657 		return (0);
658 	*comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
659 	if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
660 		*comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
661 		if (prime_field)
662 			*comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
663 	}
664 
665 	return (1);
666 }
667 
668 /* Check that an EC key is compatible with extensions. */
669 static int
tls1_check_ec_key(SSL * s,const uint16_t * group_id,const uint8_t * comp_id)670 tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id)
671 {
672 	size_t groupslen, formatslen, i;
673 	const uint16_t *groups;
674 	const uint8_t *formats;
675 
676 	/*
677 	 * Check point formats extension if present, otherwise everything
678 	 * is supported (see RFC4492).
679 	 */
680 	tls1_get_formatlist(s, 1, &formats, &formatslen);
681 	if (comp_id != NULL && formats != NULL) {
682 		for (i = 0; i < formatslen; i++) {
683 			if (formats[i] == *comp_id)
684 				break;
685 		}
686 		if (i == formatslen)
687 			return (0);
688 	}
689 
690 	/*
691 	 * Check group list if present, otherwise everything is supported.
692 	 */
693 	tls1_get_group_list(s, 1, &groups, &groupslen);
694 	if (group_id != NULL && groups != NULL) {
695 		for (i = 0; i < groupslen; i++) {
696 			if (groups[i] == *group_id)
697 				break;
698 		}
699 		if (i == groupslen)
700 			return (0);
701 	}
702 
703 	return (1);
704 }
705 
706 /* Check EC server key is compatible with client extensions. */
707 int
tls1_check_ec_server_key(SSL * s)708 tls1_check_ec_server_key(SSL *s)
709 {
710 	SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
711 	uint16_t group_id;
712 	uint8_t comp_id;
713 	EC_KEY *eckey;
714 	EVP_PKEY *pkey;
715 
716 	if (cpk->x509 == NULL || cpk->privatekey == NULL)
717 		return (0);
718 	if ((pkey = X509_get0_pubkey(cpk->x509)) == NULL)
719 		return (0);
720 	if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
721 		return (0);
722 	if (!tls1_set_ec_id(&group_id, &comp_id, eckey))
723 		return (0);
724 
725 	return tls1_check_ec_key(s, &group_id, &comp_id);
726 }
727 
728 int
ssl_check_clienthello_tlsext_early(SSL * s)729 ssl_check_clienthello_tlsext_early(SSL *s)
730 {
731 	int ret = SSL_TLSEXT_ERR_NOACK;
732 	int al = SSL_AD_UNRECOGNIZED_NAME;
733 
734 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
735 	 * ssl3_choose_cipher in s3_lib.c.
736 	 */
737 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
738 	 * ssl3_choose_cipher in s3_lib.c.
739 	 */
740 
741 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
742 		ret = s->ctx->tlsext_servername_callback(s, &al,
743 		    s->ctx->tlsext_servername_arg);
744 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
745 		ret = s->initial_ctx->tlsext_servername_callback(s, &al,
746 		    s->initial_ctx->tlsext_servername_arg);
747 
748 	switch (ret) {
749 	case SSL_TLSEXT_ERR_ALERT_FATAL:
750 		ssl3_send_alert(s, SSL3_AL_FATAL, al);
751 		return -1;
752 	case SSL_TLSEXT_ERR_ALERT_WARNING:
753 		ssl3_send_alert(s, SSL3_AL_WARNING, al);
754 		return 1;
755 	case SSL_TLSEXT_ERR_NOACK:
756 	default:
757 		return 1;
758 	}
759 }
760 
761 int
ssl_check_clienthello_tlsext_late(SSL * s)762 ssl_check_clienthello_tlsext_late(SSL *s)
763 {
764 	int ret = SSL_TLSEXT_ERR_OK;
765 	int al = 0;	/* XXX gcc3 */
766 
767 	/* If status request then ask callback what to do.
768  	 * Note: this must be called after servername callbacks in case
769  	 * the certificate has changed, and must be called after the cipher
770 	 * has been chosen because this may influence which certificate is sent
771  	 */
772 	if ((s->tlsext_status_type != -1) &&
773 	    s->ctx && s->ctx->tlsext_status_cb) {
774 		int r;
775 		SSL_CERT_PKEY *certpkey;
776 		certpkey = ssl_get_server_send_pkey(s);
777 		/* If no certificate can't return certificate status */
778 		if (certpkey == NULL) {
779 			s->tlsext_status_expected = 0;
780 			return 1;
781 		}
782 		/* Set current certificate to one we will use so
783 		 * SSL_get_certificate et al can pick it up.
784 		 */
785 		s->cert->key = certpkey;
786 		r = s->ctx->tlsext_status_cb(s,
787 		    s->ctx->tlsext_status_arg);
788 		switch (r) {
789 			/* We don't want to send a status request response */
790 		case SSL_TLSEXT_ERR_NOACK:
791 			s->tlsext_status_expected = 0;
792 			break;
793 			/* status request response should be sent */
794 		case SSL_TLSEXT_ERR_OK:
795 			if (s->tlsext_ocsp_resp)
796 				s->tlsext_status_expected = 1;
797 			else
798 				s->tlsext_status_expected = 0;
799 			break;
800 			/* something bad happened */
801 		case SSL_TLSEXT_ERR_ALERT_FATAL:
802 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
803 			al = SSL_AD_INTERNAL_ERROR;
804 			goto err;
805 		}
806 	} else
807 		s->tlsext_status_expected = 0;
808 
809  err:
810 	switch (ret) {
811 	case SSL_TLSEXT_ERR_ALERT_FATAL:
812 		ssl3_send_alert(s, SSL3_AL_FATAL, al);
813 		return -1;
814 	case SSL_TLSEXT_ERR_ALERT_WARNING:
815 		ssl3_send_alert(s, SSL3_AL_WARNING, al);
816 		return 1;
817 	default:
818 		return 1;
819 	}
820 }
821 
822 int
ssl_check_serverhello_tlsext(SSL * s)823 ssl_check_serverhello_tlsext(SSL *s)
824 {
825 	int ret = SSL_TLSEXT_ERR_NOACK;
826 	int al = SSL_AD_UNRECOGNIZED_NAME;
827 
828 	ret = SSL_TLSEXT_ERR_OK;
829 
830 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
831 		ret = s->ctx->tlsext_servername_callback(s, &al,
832 		    s->ctx->tlsext_servername_arg);
833 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
834 		ret = s->initial_ctx->tlsext_servername_callback(s, &al,
835 		    s->initial_ctx->tlsext_servername_arg);
836 
837 	/* If we've requested certificate status and we wont get one
838  	 * tell the callback
839  	 */
840 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) &&
841 	    s->ctx && s->ctx->tlsext_status_cb) {
842 		int r;
843 
844 		free(s->tlsext_ocsp_resp);
845 		s->tlsext_ocsp_resp = NULL;
846 		s->tlsext_ocsp_resp_len = 0;
847 
848 		r = s->ctx->tlsext_status_cb(s,
849 		    s->ctx->tlsext_status_arg);
850 		if (r == 0) {
851 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
852 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
853 		}
854 		if (r < 0) {
855 			al = SSL_AD_INTERNAL_ERROR;
856 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
857 		}
858 	}
859 
860 	switch (ret) {
861 	case SSL_TLSEXT_ERR_ALERT_FATAL:
862 		ssl3_send_alert(s, SSL3_AL_FATAL, al);
863 		return -1;
864 	case SSL_TLSEXT_ERR_ALERT_WARNING:
865 		ssl3_send_alert(s, SSL3_AL_WARNING, al);
866 		return 1;
867 	case SSL_TLSEXT_ERR_NOACK:
868 	default:
869 		return 1;
870 	}
871 }
872 
873 /* Since the server cache lookup is done early on in the processing of the
874  * ClientHello, and other operations depend on the result, we need to handle
875  * any TLS session ticket extension at the same time.
876  *
877  *   ext_block: a CBS for the ClientHello extensions block.
878  *   ret: (output) on return, if a ticket was decrypted, then this is set to
879  *       point to the resulting session.
880  *
881  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
882  * ciphersuite, in which case we have no use for session tickets and one will
883  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
884  *
885  * Returns:
886  *    TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
887  *    TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
888  *    TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
889  *       client supports session tickets but doesn't currently have one to offer.
890  *    TLS1_TICKET_NOT_DECRYPTED: either s->tls_session_secret_cb was
891  *       set, or a ticket was offered but couldn't be decrypted because of a
892  *       non-fatal error.
893  *    TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
894  *
895  * Side effects:
896  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
897  *   a new session ticket to the client because the client indicated support
898  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
899  *   a session ticket or we couldn't use the one it gave us, or if
900  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
901  *   Otherwise, s->tlsext_ticket_expected is set to 0.
902  */
903 int
tls1_process_ticket(SSL * s,CBS * ext_block,int * alert,SSL_SESSION ** ret)904 tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)
905 {
906 	CBS extensions, ext_data;
907 	uint16_t ext_type = 0;
908 
909 	s->tlsext_ticket_expected = 0;
910 	*ret = NULL;
911 
912 	/*
913 	 * If tickets disabled behave as if no ticket present to permit stateful
914 	 * resumption.
915 	 */
916 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
917 		return TLS1_TICKET_NONE;
918 
919 	/*
920 	 * An empty extensions block is valid, but obviously does not contain
921 	 * a session ticket.
922 	 */
923 	if (CBS_len(ext_block) == 0)
924 		return TLS1_TICKET_NONE;
925 
926 	if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) {
927 		*alert = SSL_AD_DECODE_ERROR;
928 		return TLS1_TICKET_FATAL_ERROR;
929 	}
930 
931 	while (CBS_len(&extensions) > 0) {
932 		if (!CBS_get_u16(&extensions, &ext_type) ||
933 		    !CBS_get_u16_length_prefixed(&extensions, &ext_data)) {
934 			*alert = SSL_AD_DECODE_ERROR;
935 			return TLS1_TICKET_FATAL_ERROR;
936 		}
937 
938 		if (ext_type == TLSEXT_TYPE_session_ticket)
939 			break;
940 	}
941 
942 	if (ext_type != TLSEXT_TYPE_session_ticket)
943 		return TLS1_TICKET_NONE;
944 
945 	if (CBS_len(&ext_data) == 0) {
946 		/*
947 		 * The client will accept a ticket but does not currently
948 		 * have one.
949 		 */
950 		s->tlsext_ticket_expected = 1;
951 		return TLS1_TICKET_EMPTY;
952 	}
953 
954 	if (s->tls_session_secret_cb != NULL) {
955 		/*
956 		 * Indicate that the ticket could not be decrypted rather than
957 		 * generating the session from ticket now, trigger abbreviated
958 		 * handshake based on external mechanism to calculate the master
959 		 * secret later.
960 		 */
961 		return TLS1_TICKET_NOT_DECRYPTED;
962 	}
963 
964 	return tls_decrypt_ticket(s, &ext_data, alert, ret);
965 }
966 
967 /* tls_decrypt_ticket attempts to decrypt a session ticket.
968  *
969  *   ticket: a CBS containing the body of the session ticket extension.
970  *   psess: (output) on return, if a ticket was decrypted, then this is set to
971  *       point to the resulting session.
972  *
973  * Returns:
974  *    TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
975  *    TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted.
976  *    TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set.
977  */
978 static int
tls_decrypt_ticket(SSL * s,CBS * ticket,int * alert,SSL_SESSION ** psess)979 tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
980 {
981 	CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac;
982 	SSL_SESSION *sess = NULL;
983 	unsigned char *sdec = NULL;
984 	size_t sdec_len = 0;
985 	const unsigned char *p;
986 	unsigned char hmac[EVP_MAX_MD_SIZE];
987 	HMAC_CTX *hctx = NULL;
988 	EVP_CIPHER_CTX *cctx = NULL;
989 	SSL_CTX *tctx = s->initial_ctx;
990 	int slen, hlen, iv_len;
991 	int alert_desc = SSL_AD_INTERNAL_ERROR;
992 	int ret = TLS1_TICKET_FATAL_ERROR;
993 
994 	*psess = NULL;
995 
996 	if (!CBS_get_bytes(ticket, &ticket_name, 16))
997 		goto derr;
998 
999 	/*
1000 	 * Initialize session ticket encryption and HMAC contexts.
1001 	 */
1002 	if ((cctx = EVP_CIPHER_CTX_new()) == NULL)
1003 		goto err;
1004 	if ((hctx = HMAC_CTX_new()) == NULL)
1005 		goto err;
1006 
1007 	if (tctx->tlsext_ticket_key_cb != NULL) {
1008 		int rv;
1009 
1010 		/*
1011 		 * The API guarantees EVP_MAX_IV_LENGTH bytes of space for
1012 		 * the iv to tlsext_ticket_key_cb().  Since the total space
1013 		 * required for a session cookie is never less than this,
1014 		 * this check isn't too strict.  The exact check comes later.
1015 		 */
1016 		if (CBS_len(ticket) < EVP_MAX_IV_LENGTH)
1017 			goto derr;
1018 
1019 		if ((rv = tctx->tlsext_ticket_key_cb(s,
1020 		    (unsigned char *)CBS_data(&ticket_name),
1021 		    (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0)
1022 			goto err;
1023 		if (rv == 0)
1024 			goto derr;
1025 		if (rv == 2) {
1026 			/* Renew ticket. */
1027 			s->tlsext_ticket_expected = 1;
1028 		}
1029 
1030 		if ((iv_len = EVP_CIPHER_CTX_iv_length(cctx)) < 0)
1031 			goto err;
1032 		/*
1033 		 * Now that the cipher context is initialised, we can extract
1034 		 * the IV since its length is known.
1035 		 */
1036 		if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
1037 			goto derr;
1038 	} else {
1039 		/* Check that the key name matches. */
1040 		if (!CBS_mem_equal(&ticket_name,
1041 		    tctx->tlsext_tick_key_name,
1042 		    sizeof(tctx->tlsext_tick_key_name)))
1043 			goto derr;
1044 		if ((iv_len = EVP_CIPHER_iv_length(EVP_aes_128_cbc())) < 0)
1045 			goto err;
1046 		if (!CBS_get_bytes(ticket, &ticket_iv, iv_len))
1047 			goto derr;
1048 		if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL,
1049 		    tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv)))
1050 			goto err;
1051 		if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
1052 		    sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(),
1053 		    NULL))
1054 			goto err;
1055 	}
1056 
1057 	/*
1058 	 * Attempt to process session ticket.
1059 	 */
1060 
1061 	if ((hlen = HMAC_size(hctx)) < 0)
1062 		goto err;
1063 
1064 	if (hlen > CBS_len(ticket))
1065 		goto derr;
1066 	if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen))
1067 		goto derr;
1068 	if (!CBS_get_bytes(ticket, &ticket_hmac, hlen))
1069 		goto derr;
1070 	if (CBS_len(ticket) != 0) {
1071 		alert_desc = SSL_AD_DECODE_ERROR;
1072 		goto err;
1073 	}
1074 
1075 	/* Check HMAC of encrypted ticket. */
1076 	if (HMAC_Update(hctx, CBS_data(&ticket_name),
1077 	    CBS_len(&ticket_name)) <= 0)
1078 		goto err;
1079 	if (HMAC_Update(hctx, CBS_data(&ticket_iv),
1080 	    CBS_len(&ticket_iv)) <= 0)
1081 		goto err;
1082 	if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
1083 	    CBS_len(&ticket_encdata)) <= 0)
1084 		goto err;
1085 	if (HMAC_Final(hctx, hmac, &hlen) <= 0)
1086 		goto err;
1087 
1088 	if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
1089 		goto derr;
1090 
1091 	/* Attempt to decrypt session data. */
1092 	sdec_len = CBS_len(&ticket_encdata);
1093 	if ((sdec = calloc(1, sdec_len)) == NULL)
1094 		goto err;
1095 	if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata),
1096 	    CBS_len(&ticket_encdata)) <= 0)
1097 		goto derr;
1098 	if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0)
1099 		goto derr;
1100 
1101 	slen += hlen;
1102 
1103 	/*
1104 	 * For session parse failures, indicate that we need to send a new
1105 	 * ticket.
1106 	 */
1107 	p = sdec;
1108 	if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL)
1109 		goto derr;
1110 	*psess = sess;
1111 	sess = NULL;
1112 
1113 	ret = TLS1_TICKET_DECRYPTED;
1114 	goto done;
1115 
1116  derr:
1117 	ERR_clear_error();
1118 	s->tlsext_ticket_expected = 1;
1119 	ret = TLS1_TICKET_NOT_DECRYPTED;
1120 	goto done;
1121 
1122  err:
1123 	*alert = alert_desc;
1124 	ret = TLS1_TICKET_FATAL_ERROR;
1125 	goto done;
1126 
1127  done:
1128 	freezero(sdec, sdec_len);
1129 	EVP_CIPHER_CTX_free(cctx);
1130 	HMAC_CTX_free(hctx);
1131 	SSL_SESSION_free(sess);
1132 
1133 	return ret;
1134 }
1135